diff --git a/docs/03-VLAN-DEVICE-ASSIGNMENT.md b/docs/03-VLAN-DEVICE-ASSIGNMENT.md index 3423090..86a2c84 100644 --- a/docs/03-VLAN-DEVICE-ASSIGNMENT.md +++ b/docs/03-VLAN-DEVICE-ASSIGNMENT.md 
@@ -7,86 +7,86 @@ ## VLAN Summary -| VLAN | Name | Subnet | Gateway | Purpose | -|------|------|--------|---------|---------| -| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Current flat network | -| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | -| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | -| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | -| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | -| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | -| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | +| VLAN | Name | Subnet | Gateway | Purpose | Comment | +|------|------|--------|---------|---------|---------| +| 1 | Legacy | 192.168.31.0/24 | 192.168.31.1 | Current flat network | To be deprecated | +| 10 | Mgmt | 192.168.10.0/24 | 192.168.10.1 | Infrastructure devices | Admin access only | +| 20 | Trusted | 192.168.20.0/24 | 192.168.20.1 | Family personal devices | Full network access | +| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Smart home devices | Internet + limited local | +| 35 | Cameras | 192.168.35.0/24 | 192.168.35.1 | Security cameras | Isolated, NVR access only | +| 40 | Servers | 192.168.40.0/24 | 192.168.40.1 | Servers & printers | Service hosts | +| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | Guest WiFi | Internet only | --- ## VLAN 10 - Management (Infrastructure) -| Current IP | Target IP | MAC Address | Device | Notes | -|------------|-----------|-------------|--------|-------| -| 192.168.31.1 | 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router - gateway for all VLANs | -| 192.168.31.2 | 192.168.10.2 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server | -| 192.168.31.4 | 192.168.10.4 | 02:42:C0:A8:1F:04 | AdGuard Home | DNS container on Unraid | -| 192.168.31.6 | 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac | Access point | -| 192.168.31.9 | 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch | -| 
192.168.31.22 | 192.168.10.22 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch | -| 192.168.31.20 | 192.168.10.20 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM | -| 172.17.0.2 | - | 46:D0:27:F7:1F:CA | AdGuard (MikroTik) | Container on router | -| 172.17.0.3 | - | 0C:AB:39:8D:8C:FC | Tailscale (MikroTik) | VPN container | +| Current IP | Target IP | MAC Address | Device | Notes | Comment | +|------------|-----------|-------------|--------|-------|---------| +| 192.168.31.1 | 192.168.10.1 | 78:9A:18:2C:A5:48 | HAP1 (hAP ax³) | Router | Gateway for all VLANs | +| 192.168.31.2 | 192.168.10.2 | A8:B8:E0:02:B6:15 | XTRM-U (Unraid) | Main server | Docker host, NAS | +| 192.168.31.4 | 192.168.10.4 | 02:42:C0:A8:1F:04 | AdGuard Home | DNS (Unraid) | Secondary DNS | +| 192.168.31.6 | 192.168.10.6 | 18:FD:74:54:3D:BC | CAP XL ac | Access point | CAPsMAN managed | +| 192.168.31.9 | 192.168.10.9 | F4:1E:57:C9:BD:09 | CSS326-24G-2S+ | 24-port switch | Room distribution | +| 192.168.31.22 | 192.168.10.22 | 1C:2A:A3:1E:78:67 | ZX1 (ZX-SWTGW218AS) | 8-port 2.5G switch | Server rack | +| 192.168.31.20 | 192.168.10.20 | 48:DA:35:6F:BE:50 | NanoKVM | Remote KVM | IPMI alternative | +| 172.17.0.2 | - | 46:D0:27:F7:1F:CA | AdGuard (MikroTik) | DNS (Router) | Primary DNS, DoH/DoT | +| 172.17.0.3 | - | 0C:AB:39:8D:8C:FC | Tailscale (MikroTik) | VPN container | Remote access | --- ## VLAN 20 - Trusted (Family Devices) -| Current IP | Target IP | MAC Address | Device | Owner | -|------------|-----------|-------------|--------|-------| -| 192.168.31.79 | 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | -| 192.168.31.98 | 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | -| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | -| 192.168.31.99 | 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | -| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | -| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | 
iPhone | Kimi | -| 192.168.31.95 | 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | -| 192.168.31.97 | 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | -| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | +| Current IP | Target IP | MAC Address | Device | Owner | Comment | +|------------|-----------|-------------|--------|-------|---------| +| 192.168.31.79 | 192.168.20.10 | 82:6D:FB:D9:E0:47 | MacBook Air | Nora | Primary laptop | +| 192.168.31.98 | 192.168.20.11 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra | Kaloyan | Primary phone | +| 192.168.31.114 | 192.168.20.12 | F2:B8:14:61:C8:27 | iPhone | Dancho | | +| 192.168.31.99 | 192.168.20.13 | 82:EC:EF:B5:F2:AF | MacBook Pro (WiFi) | Kaloyan | Work laptop wireless | +| 192.168.31.108 | 192.168.20.14 | 90:91:64:70:0D:86 | Notebook | Kimi | | +| 192.168.31.121 | 192.168.20.15 | 2A:2B:BA:86:D4:AF | iPhone | Kimi | | +| 192.168.31.95 | 192.168.20.16 | 08:92:04:C6:07:C5 | MacBook Pro (LAN) | Kaloyan | Via Dell KVM dock | +| 192.168.31.97 | 192.168.20.17 | 1C:83:41:32:F3:AF | Gaming PC | Kaloyan | Main bedroom | +| 192.168.31.107 | 192.168.20.18 | A4:D1:D2:7B:52:BE | iPad | Compusbg | Work tablet | --- ## VLAN 30 - IoT (Smart Home) -| Current IP | Target IP | MAC Address | Device | Location | -|------------|-----------|-------------|--------|----------| -| - | 192.168.30.10 | B0:37:95:79:AF:9B | LG TV | Living Room | -| 192.168.31.134 | 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast | Living Room | -| 192.168.31.104 | 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | - | -| 192.168.31.105 | 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | -| 192.168.31.101 | 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | -| 192.168.31.117 | 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer | - | -| 192.168.31.116 | 192.168.30.16 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | +| Current IP | Target IP | MAC Address | Device | Location | Comment | 
+|------------|-----------|-------------|--------|----------|---------| +| - | 192.168.30.10 | B0:37:95:79:AF:9B | LG TV | Living Room | Not seen recently | +| 192.168.31.134 | 192.168.30.11 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming | +| 192.168.31.104 | 192.168.30.12 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | - | Needs cloud access | +| 192.168.31.105 | 192.168.30.13 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app | +| 192.168.31.101 | 192.168.30.14 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | Mi Home app | +| 192.168.31.117 | 192.168.30.15 | C8:D7:78:D6:DC:FC | Bosch Washer | - | Home Connect app | +| 192.168.31.116 | 192.168.30.16 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app | --- ## VLAN 35 - Cameras (Security) -| Current IP | Target IP | MAC Address | Device | Location | -|------------|-----------|-------------|--------|----------| -| 192.168.31.68 | 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | +| Current IP | Target IP | MAC Address | Device | Location | Comment | +|------------|-----------|-------------|--------|----------|---------| +| 192.168.31.68 | 192.168.35.10 | 48:9E:9D:0E:16:F7 | Reolink Doorbell | Front door | PoE powered | --- ## VLAN 40 - Servers (Services) -| Current IP | Target IP | MAC Address | Device | Purpose | -|------------|-----------|-------------|--------|---------| -| 192.168.31.19 | 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | +| Current IP | Target IP | MAC Address | Device | Purpose | Comment | +|------------|-----------|-------------|--------|---------|---------| +| 192.168.31.19 | 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection | --- ## VLAN 50 - Guest (Isolated) -| Target IP | Notes | -|-----------|-------| -| DHCP Pool: 192.168.50.100-200 | Dynamic assignment | -| Internet only, no local access | | +| Target IP | Purpose | Comment | +|-----------|---------|---------| +| DHCP Pool: 
192.168.50.100-200 | Dynamic assignment | No static leases | +| - | Internet only | No local network access | --- @@ -94,16 +94,16 @@ **⚠️ These devices need identification before VLAN assignment:** -| Current IP | MAC Address | Hostname | Vendor (OUI) | Notes | -|------------|-------------|----------|--------------|-------| -| 192.168.31.109 | D0:C9:07:92:1A:8E | - | Unknown | Active | -| 192.168.31.110 | D0:C9:07:8C:C9:46 | - | Unknown | Active | -| 192.168.31.139 | 50:2C:C6:7A:55:39 | - | EMLAB | Active | -| 192.168.31.149 | D4:AD:FC:BE:13:B0 | - | Unknown | Active | -| 192.168.31.106 | 18:DE:50:5B:C8:A6 | wlan0 | Unknown | Active | -| 192.168.31.113 | 38:1F:8D:04:6F:E4 | - | Unknown | Active | -| 192.168.31.15 | AC:87:A3:77:8F:BD | - | Unknown | Static ARP | -| 192.168.31.142 | 22:4C:7F:1D:85:8E | xtrm-pc | Unknown | Dynamic | +| Current IP | MAC Address | Hostname | Vendor (OUI) | Status | Comment | +|------------|-------------|----------|--------------|--------|---------| +| 192.168.31.109 | D0:C9:07:92:1A:8E | - | Unknown | Active | Investigate | +| 192.168.31.110 | D0:C9:07:8C:C9:46 | - | Unknown | Active | Same vendor as .109 | +| 192.168.31.139 | 50:2C:C6:7A:55:39 | - | EMLAB | Active | Lab equipment? | +| 192.168.31.149 | D4:AD:FC:BE:13:B0 | - | Unknown | Active | | +| 192.168.31.106 | 18:DE:50:5B:C8:A6 | wlan0 | Unknown | Active | Generic hostname | +| 192.168.31.113 | 38:1F:8D:04:6F:E4 | - | Unknown | Active | | +| 192.168.31.15 | AC:87:A3:77:8F:BD | - | Unknown | Static ARP | Persistent entry | +| 192.168.31.142 | 22:4C:7F:1D:85:8E | xtrm-pc | Unknown | Dynamic | Randomized MAC? | --- 
@@ -159,24 +159,24 @@ C8:D7:78:40:65:40 Bosch Dishwasher ## Device Count Summary -| VLAN | Device Count | -|------|--------------| -| 10 - Mgmt | 9 | -| 20 - Trusted | 9 | -| 30 - IoT | 7 | -| 35 - Cameras | 1 | -| 40 - Servers | 1 | -| Unknown | 8 | -| **Total** | **35** | +| VLAN | Device Count | Comment | +|------|--------------|---------| +| 10 - Mgmt | 9 | Infrastructure only | +| 20 - Trusted | 9 | Family members | +| 30 - IoT | 7 | Smart home | +| 35 - Cameras | 1 | Security | +| 40 - Servers | 1 | Services | +| Unknown | 8 | Need identification | +| **Total** | **35** | | --- ## Next Steps -1. **Identify unknown devices** (MAC lookup, physical trace) -2. **Decide WiFi strategy:** - - Option A: Single SSID, MAC-based VLAN (complex) - - Option B: Multiple SSIDs (XTRM-Trusted, XTRM-IoT, XTRM-Guest) -3. **Configure switch port VLANs** for wired devices -4. **Test VLAN routing** before full activation -5. **Update firewall rules** for inter-VLAN traffic +| Step | Action | Comment | +|------|--------|---------| +| 1 | Identify unknown devices | MAC lookup, physical trace | +| 2 | Decide WiFi strategy | Single SSID vs Multiple SSIDs | +| 3 | Configure switch ports | VLAN tagging on CSS326 | +| 4 | Test VLAN routing | Before full activation | +| 5 | Update firewall rules | Inter-VLAN traffic control |
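Review bot: In the first hunk (@@ -7,86 +7,86 @@), the new VLAN 10 comment "Admin access only" conflicts with two rows the same hunk places in that VLAN: AdGuard Home at 192.168.10.4 is labelled "Secondary DNS" and XTRM-U at 192.168.10.2 is labelled "Docker host, NAS". If clients outside VLAN 10 are meant to use either service, they must reach Mgmt addresses, which the comment rules out. Either give those services Target IPs in VLAN 40, whose comment is "Service hosts", or reword the VLAN 10 comment to name the permitted exceptions. Likewise, VLAN 20 "Full network access" reads as overriding VLAN 35 "Isolated, NVR access only"; say explicitly whether Trusted may reach Cameras. No NVR is listed in any of the tables, so add it or drop the reference.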
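Review bot: In the second hunk (@@ -94,16 +94,16 @@), the "Randomized MAC?" comment on 22:4C:7F:1D:85:8E does not need the question mark. The first octet 0x22 has the locally administered bit (0x02) set, so the address is not vendor-assigned and "Unknown" under Vendor (OUI) is the expected result. Suggest a comment such as "Locally administered MAC, identify via hostname xtrm-pc". On the 192.168.31.15 row, "Persistent entry" only restates "Static ARP"; for a device that is still unidentified, record where the static entry is configured and why. The .149 and .113 rows have empty Comment cells while .109 says "Investigate", although the section heading says all of these rows need identification.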
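Review bot: In the third hunk (@@ -159,24 +159,24 @@), turning Next Steps into a table loses detail from step 2. The removed lines named the proposed SSIDs (XTRM-Trusted, XTRM-IoT, XTRM-Guest) and marked the single-SSID, MAC-based option as complex, while the new row says only "Single SSID vs Multiple SSIDs". Keep the option details in the Comment cell or as a short list under the table. Step 3's comment "VLAN tagging on CSS326" also narrows the removed wording "for wired devices", even though the VLAN 10 table in this patch lists a second switch, ZX1; name both switches or keep the general wording. Since this patch adds access comments such as "Isolated, NVR access only" and "Internet only", note in step 4 that routing tests run before the firewall rules of step 5 cannot confirm those restrictions, or add a re-test after step 5.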